By: Lynn McNulty, Executive Consultant, McConnell International

Introduction. In a previous paper I discussed the background and initial manifestations of the Government’s Information Technology (IT) supply chain program. This posting provides additional information about Supply Chain Pilot Projects, Incorporation of Supply Chain Considerations into Special Publication 800-53, and Counterfeit IT Parts

Supply Chain Pilot Projects. Recent briefings given by personnel from the National Institute of Standards and Technology (NIST) reflect that the government is about to implement a series of “Supply Chain Risk Management” (SCRM) pilot projects. The stated purposes of these projects include: (1) provide an incremental rollout of SCRM capabilities; (2) exercise threat informed technical mitigations; (3) exercise lifecycle SCRM techniques; and (4) identify policy gaps. The Department of Defense (DOD) will exercise oversight on the three or four “high priority system” pilots that involve DOD elements. NIST will perform a similar function for civilian agency pilots. The Department of Homeland Security will provide the funding needed to support the civilian agency pilots. These pilot projects are scheduled to being in FY 2009 and extend into FY 2010.

Incorporation of Supply Chain Considerations into Special Publication 800-53. This publication enumerates recommended security controls for government information systems. Special Publication 800-53 was originally issued in 2005 as part of NIST’s guidance to federal agencies for the implementation of the Federal Information Security Management Act (FISMA). The final public draft of revision three of SP 800-53 includes Appendix SA-1, System and Services Acquisition that includes section 12 that specifically addresses the supply chain problem. This document will be issued in final form within the next four to six months, if not sooner.

Counterfeit IT Parts. As discussed in the previous article, the government is very concerned about the problem of counterfeit IT components finding their way into various systems used by the government for national defense and other sensitive programs. The June 3rd edition of the Federal Register contained the information that the Civilian and Defense Acquisition Councils are sponsoring six public meetings to receive information about how to address the problem of counterfeit IT products. Topics to be covered at these meetings include: contractor liability, competitive issues, authentication of IT parts and products, and contractor supply chain risk management as an evaluation factor in the procurement of IT products. These meetings will be held from June 23 to August 12. For additional information see: http://edocket.access.gpo.gov/2009/E9-12927.htm.